Running legacy operating systems in the public sector proved to be a big issue during the recent ransomware attacks across the United Kingdom.

The government needs to set aside specific funding for cybersecurity of critical services. With everything they are dealing with on the terrorism front, security services can't be expected to prioritise protecting their internal systems over and above protecting the public.

Organisations still running these legacy operating systems, that can't be patched, need to put in place additional controls. 

At a minimum, they need to monitor these systems closely. They need to look at who has access to them and look for changes in behaviour. These systems are often the initial compromise point, so it's critical that any unusual activity is caught early.